1. Field
Embodiments of the invention provide techniques for testing the effectiveness of a malware signature. More specifically, embodiments presented herein disclose a metadata driven approach for efficiently identifying true/false positives and true/false negatives made by a candidate malware signature.
2. Description of the Related Art
“Malware” generally refers to malicious software applications configured to disrupt computer operation, gather sensitive information, or gain unauthorized access or control of a computing system. While the effect of malware can be relatively benign, malware is increasingly used by criminals seeking to gather private information (e.g., banking credentials) or take control of computing systems to create “botnets.” Further, while malware has typically been directed to conventional computing systems (e.g., desktop and laptop systems running versions of the Windows® operating system), the dramatic rise of mobile telephones and tablets has expanded the systems targeted by malware. For example, mobile telephones and tablets provide considerable computing power and network connectivity. Further, the widespread use of online application marketplaces to distribute software (commonly referred to as “apps”) has come to provide a significant vector for distributing malware to mobile devices. Once installed, such malware can exploit vulnerabilities to gain control of a device and capture sensitive information (e.g., banking app usernames and passwords). Similarly, malware apps can be distributed as though they were legitimate applications, relying on “social engineering” to trick individuals into installing and using them and into providing information.
Given the well-known threat of malware, significant research and development has gone into preventing, detecting, and cleaning malware from computing systems. For example, in addition to mechanisms for patching software vulnerabilities in applications obtained from online marketplaces, a variety of scanning and analysis applications are used to detect the presence of malware, as well as to prevent it from being installed. Typically, such software relies on a set of signatures to detect malware. Each signature is composed to identify a set of distinct features of a given malware package. As a result, the effectiveness of malware detection tools directly depends on the quality of the signatures. As new malware packages are identified, new signatures have to be created and evaluated.
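As an added illustration of what “evaluating” a candidate signature means in the true/false positive and negative terms used above (this is example code written for this section, not the application's own method or implementation), the following Python matches a signature expressed as a set of required features against a small constructed corpus whose ground-truth labels stand in for the sample metadata, tallies TP/FP/TN/FN, and names the samples each candidate got wrong. The sample names, feature strings, corpus and the two candidate signatures are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """A scanned package: the features extracted from it plus the
    ground-truth label carried in its metadata (constructed for this example)."""
    name: str
    features: frozenset
    is_malware: bool


@dataclass(frozen=True)
class Signature:
    """A candidate signature that fires when every required feature is present.
    (Hypothetical representation chosen for the example.)"""
    name: str
    required: frozenset

    def matches(self, sample: Sample) -> bool:
        return self.required <= sample.features


def evaluate(signature: Signature, corpus) -> dict:
    """Classify each verdict as TP/FP/TN/FN using the sample's known label,
    record the misclassified samples, and derive precision and recall."""
    result = {"tp": 0, "fp": 0, "tn": 0, "fn": 0,
              "false_positives": [], "false_negatives": []}
    for sample in corpus:
        hit = signature.matches(sample)
        if hit and sample.is_malware:
            result["tp"] += 1
        elif hit and not sample.is_malware:
            result["fp"] += 1                       # benign app flagged
            result["false_positives"].append(sample.name)
        elif not hit and sample.is_malware:
            result["fn"] += 1                       # malware missed
            result["false_negatives"].append(sample.name)
        else:
            result["tn"] += 1
    tp, fp, fn = result["tp"], result["fp"], result["fn"]
    result["precision"] = tp / (tp + fp) if tp + fp else 0.0
    result["recall"] = tp / (tp + fn) if tp + fn else 0.0
    return result


# Constructed corpus: the feature strings are illustrative labels, not real
# extraction output, and the host name is a placeholder.
CORPUS = [
    Sample("bank_trojan_1",
           frozenset({"perm:SEND_SMS", "api:getDeviceId", "host:c2.example.invalid"}), True),
    Sample("bank_trojan_2",
           frozenset({"perm:SEND_SMS", "api:getDeviceId"}), True),
    Sample("sms_spammer",
           frozenset({"perm:SEND_SMS"}), True),
    Sample("legit_sms_client",
           frozenset({"perm:SEND_SMS", "api:getDeviceId"}), False),
    Sample("calculator",
           frozenset({"perm:INTERNET"}), False),
    Sample("weather",
           frozenset({"perm:INTERNET", "api:getLocation"}), False),
]

# Two hypothetical candidate signatures for the same family: one broad, one narrow.
BROAD = Signature("broad", frozenset({"perm:SEND_SMS", "api:getDeviceId"}))
NARROW = Signature("narrow",
                   frozenset({"perm:SEND_SMS", "api:getDeviceId", "host:c2.example.invalid"}))

if __name__ == "__main__":
    for sig in (BROAD, NARROW):
        r = evaluate(sig, CORPUS)
        print(sig.name, {k: r[k] for k in ("tp", "fp", "tn", "fn")},
              "precision=%.2f recall=%.2f" % (r["precision"], r["recall"]),
              "FP:", r["false_positives"], "FN:", r["false_negatives"])
```

Running it shows the trade-off the text alludes to: the broad candidate catches two of the three malicious samples but also flags the benign SMS client, while the narrow candidate never fires on a benign sample yet misses two malicious ones. Having the labels attached to each sample is what lets the evaluator name the specific false positives and false negatives rather than only report totals.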